# IE 7,8,9 Browsing History

## Overview

**Evidence:** IE 7,8,9 Browsing History\
**Description:** Collect visited URLs from Internet Explorer\
**Category:** Applications\
**Platform:** windows\
**Short Name:** ihst\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Internet Explorer 7, 8, and 9 store browsing history in index.dat files using the MSIECF (Microsoft Internet Explorer Cache File) format. These files contain URLs visited, access timestamps, and visit counts.

Index.dat files are located in various user profile directories depending on Windows version (XP vs Vista+).

## Data Collected

This collector gathers structured data about ie 7,8,9 browsing history.

### IE 7,8,9 Browsing History Data

| Field                | Description             | Example                   |
| -------------------- | ----------------------- | ------------------------- |
| `BrowserAccessTime`  | When URL was accessed   | 2023-10-15T14:30:00       |
| `BrowserAccessCount` | Number of times visited | 5                         |
| `BrowserURL`         | URL visited             | <https://www.example.com> |
| `Browser`            | Browser identifier      | IE 7-8-9                  |

## Collection Method

This collector:

* Searches for index.dat files in multiple locations:
  * Legacy XP paths in `Documents and Settings`
  * Vista+ paths in `Users\*\AppData\Local\Microsoft\Windows`
* Collects index.dat files
* Parses using libmsiecf library
* Extracts URLs, timestamps, and visit counts

## Forensic Value

IE browsing history reveals web activity and can indicate phishing, malware downloads, or unauthorized access. Investigators use this data to reconstruct web browsing activity, identify malicious websites visited, detect phishing attacks, correlate with downloads and malware infections, and establish user intent through browsing patterns.